Google relents—adds system password prompt before displaying web passwords

Nov 05, 2013 by Bob Yirka weblog

(Phys.org) —This past summer it was widely reported that Google Chrome had a web security flaw—all of the passwords that were saved for various web sites could be displayed by anyone gaining physical access to a computer, by typing in a simple command. That prompted a lot of people to criticize Google for its lackadaisical approach to web security for its user community. Google defended itself by noting that if someone gained physical access to someone else's computer and were able to use their Chrome browser, they would be able to access all of the web sites that the original owner had saved anyway (because the login and passwords would be filled in automatically), regardless of whether they could see the passwords, which were stored on the local hard drive in plain text.

Now it appears that Google has had a change of heart, at least as it applies to Mac users—Chromium developer François Beaufort has announced on his Google+ page that Google has implemented a "fix" for the problem for users of the Chromium Build for Mac. Now, if a sneaky person gains physical access to someone else's computer and tries to get the browser to show all of the saved , they will be prompted to first type in the Mac OS password. Of course, that still won't stop them from visiting and logging in automatically (because the passwords have still been saved after all) to whatever web sites they find in the list of favorites, their history, etc.

It's not clear why Google had a change of heart, or if the change will be made to Google Chrome (Windows) or if it will, how long that might take. Last summer, company reps said making such a change to Chrome would give users a false sense of security. They suggested that users lock their computer when away from the keyboard to give themselves a true security system.

It's clear that forcing users to type in a system password will prevent miscreants from quickly printing out a list of logins/passwords—whether it will also lull them into a false of remains to be seen—at least for Mac users.

Explore further: FBI investigating reports of attacks on US banks

Related Stories

Google vision of password rings heard at security event

Mar 13, 2013

(Phys.org) —Google finds much appeal in gaining the distinction of leading the way toward a future where USB sticks and rings can replace traditional passwords. The idea of killing off passwords has been ...

Recommended for you

What metadata does the government want about you?

11 hours ago

With the leaking of a discussion paper on telecommunications data retention, we are at last starting to get some clarity as to just what metadata the Abbott government is likely to ask telecommunications ...

To deter cyberattacks, build a public-private partnership

Aug 25, 2014

Cyberattacks loom as an increasingly dire threat to privacy, national security and the global economy, and the best way to blunt their impact may be a public-private partnership between government and business, ...

User comments : 3

Adjust slider to filter visible comments by rank

Display comments: newest first

evropej
1 / 5 (6) Nov 05, 2013
Logging into a site is one thing, getting the password to log in from any pc is another. This is what happens when you get so big and go from technology development to groogling the world with spam.
Zera
1 / 5 (6) Nov 05, 2013
check out lightbeam - google sits at the centre of just about every interaction you have with the "web"
Ducklet
1 / 5 (5) Nov 05, 2013
The password has to be available in plaintext anyway, at some point, or the browser won't be able to auto-fill it.